65 Million Tumblr Passwords for Sale on TheRealDeal

In the last few weeks there have been releases of data from some very high-profile database breaches: LinkedIn, MySpace and now Tumblr.

All of these sites were hacked, resulting in massive data breaches, yet these hacks are only now coming to the surface.

Tumblr has now confirmed it was hacked in a data breach from 2013, which affected “Email addresses and Passwords” for a set of users, but Tumblr has refused to reveal how many people were affected. With the data now for sale on The Real Deal darknet marketplace, it has been confirmed that there are 65 million records available.

Have I Been Pwned has obtained a copy of the stolen data set, allowing people to check if their accounts have been breached. Records show that there are currently 65,469,298 unique emails and passwords.

Tumblr has at least done one thing correctly: the passwords were both hashed and salted. Salting means adding additional random bytes at the end of the password before hashing it. This makes reversing the hashes much harder, even with a weak hash function such as SHA1.
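To make the effect of salting concrete, here is an added example (not code from Tumblr or from the original article) that hashes the same password with and without a salt and then with a deliberately slow function. The salt length, the PBKDF2 parameters and the sample password are assumptions; the salt is appended to the password as described above.

```python
import hashlib
import hmac
import os

SALT_BYTES = 16          # assumed salt length; the article does not state Tumblr's
PBKDF2_ROUNDS = 600_000  # assumed work factor for the slow-hash comparison


def sha1_unsalted(password):
    """Plain SHA1: equal passwords always produce equal digests."""
    return hashlib.sha1(password.encode()).hexdigest()


def sha1_salted(password, salt=None):
    """SHA1 over password + salt (salt appended). Returns (salt, hex digest)."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    return salt, hashlib.sha1(password.encode() + salt).hexdigest()


def verify_sha1_salted(password, salt, stored):
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = sha1_salted(password, salt)
    return hmac.compare_digest(candidate, stored)


def pbkdf2_hash(password, salt=None):
    """Salted and slow: each guess costs PBKDF2_ROUNDS HMAC-SHA256 rounds."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, derived.hex()


def verify_pbkdf2(password, salt, stored):
    _, candidate = pbkdf2_hash(password, salt)
    return hmac.compare_digest(candidate, stored)


def demo():
    """Two accounts sharing one constructed sample password."""
    pw = "correct horse battery staple"  # constructed sample, not real data
    salt_a, hash_a = sha1_salted(pw)
    _, hash_b = sha1_salted(pw)
    return {
        "unsalted_equal": sha1_unsalted(pw) == sha1_unsalted(pw),  # shared passwords visible
        "salted_equal": hash_a == hash_b,                          # hidden by per-user salts
        "verifies": verify_sha1_salted(pw, salt_a, hash_a),
    }


if __name__ == "__main__":
    print(demo())
```

The salt stops identical passwords from sharing a digest, but a single SHA1 round is still cheap to compute per guess, which is why a slow function such as PBKDF2 is the stronger choice for storage.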

The hacker behind this latest breach should come as no surprise to those who follow these kinds of leaks. Peace has offered the data for a small fee of 0.4255 BTC or $150. The price is relatively low because the passwords are hashed and salted, which makes the data essentially a massive database of email addresses.

Other databases are also available from Peace (profile name on the market: peace_of_mind), with the LinkedIn one being sold for 6 BTC, again on the same darknet marketplace where the current one is being sold.

The leak, which is now listed on Have I Been Pwned, is the third largest ever, after the LinkedIn hack (also carried out by Peace) and the Adobe hack, which covered 152 million accounts. Owners of any affected accounts should have been contacted by Tumblr and advised to change or reset their passwords after the announcement of the hack.

What all of these hacks have in common is that they are actually a few years old, yet the data has stayed hidden and dormant until now, when it has surfaced and been put up for sale. Whether there will be more leaks to follow, only time will tell.

Another question is: who has been sitting on this data for all of this time, and why? Why release the data now?

I guess these are questions that we don’t/won’t have the answers to at the moment, but they could be answered within weeks or even months.

Peace is another hacker to keep a close eye on, along with FineasPhisher; both seem to be excelling at pwning massive databases or even sites.